diff --git a/policy-20071130.patch b/policy-20071130.patch
index c98a216..bd7e535 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -4528,7 +4528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.6/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc 2008-02-04 10:23:03.000000000 -0500
@@ -1,9 +1,9 @@
#
# HOME_DIR/
@@ -4568,11 +4568,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f
ifdef(`distro_gentoo',`
/opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-@@ -49,3 +55,4 @@
+@@ -49,3 +55,6 @@
/opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
')
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
++/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
++/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.6/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/apps/vmware.if 2008-02-01 16:01:42.000000000 -0500
@@ -4747,7 +4749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-04 11:10:30.000000000 -0500
@@ -7,11 +7,11 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4799,13 +4801,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +291,6 @@
+@@ -284,3 +291,7 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0)
+
++/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.6/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.if 2008-02-01 16:01:42.000000000 -0500
@@ -5457,7 +5460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/kernel/files.if 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/kernel/files.if 2008-02-04 12:03:13.000000000 -0500
@@ -1266,6 +1266,24 @@
########################################
@@ -6109,7 +6112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.6/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/services/apache.if 2008-02-01 16:48:52.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/apache.if 2008-02-04 10:16:22.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -8205,16 +8208,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.6/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc 2008-02-04 11:46:55.000000000 -0500
@@ -1,3 +1,5 @@
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
+Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-01 22:35:15.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-04 11:52:57.000000000 -0500
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -8225,7 +8229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
########################################
#
# consolekit local policy
-@@ -24,6 +27,9 @@
+@@ -24,20 +27,26 @@
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
allow consolekit_t self:unix_dgram_socket create_socket_perms;
@@ -8235,7 +8239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
-@@ -36,8 +42,10 @@
+ kernel_read_system_state(consolekit_t)
+
+ corecmd_exec_bin(consolekit_t)
++corecmd_exec_shell(consolekit_t)
+
+ dev_read_urand(consolekit_t)
+ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
@@ -8246,7 +8256,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
-@@ -50,12 +58,25 @@
+@@ -47,15 +56,31 @@
+
+ auth_use_nsswitch(consolekit_t)
+
++init_telinit(consolekit_t)
++init_rw_utmp(consolekit_t)
++
libs_use_ld_so(consolekit_t)
libs_use_shared_libs(consolekit_t)
@@ -8273,17 +8289,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
hal_dbus_chat(consolekit_t)
optional_policy(`
-@@ -64,6 +85,32 @@
+@@ -64,6 +89,33 @@
')
optional_policy(`
+ polkit_domtrans_auth(consolekit_t)
++ polkit_search_lib(consolekit_t)
+')
+
+optional_policy(`
xserver_read_all_users_xauth(consolekit_t)
xserver_stream_connect_xdm_xserver(consolekit_t)
- ')
++ xserver_ptrace_xdm(consolekit_t)
++')
+
+optional_policy(`
+ #reading .Xauthity
@@ -8298,14 +8316,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_list_nfs(consolekit_t)
+ fs_dontaudit_rw_nfs_files(consolekit_t)
-+')
+ ')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_list_cifs(consolekit_t)
+ fs_dontaudit_rw_cifs_files(consolekit_t)
+')
+
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.6/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/cron.fc 2008-02-01 16:01:42.000000000 -0500
@@ -12652,7 +12669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.6/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/mta.te 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/mta.te 2008-02-04 12:04:01.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -12670,7 +12687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -37,30 +40,43 @@
+@@ -37,30 +40,45 @@
#
# newalias required this, not sure if it is needed in 'if' file
@@ -12679,6 +12696,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
++
++files_read_all_tmp_files(system_mail_t)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
@@ -12715,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -73,6 +89,7 @@
+@@ -73,6 +91,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -12723,7 +12742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
cron_dontaudit_write_pipes(system_mail_t)
')
-@@ -81,6 +98,11 @@
+@@ -81,6 +100,11 @@
')
optional_policy(`
@@ -12735,7 +12754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
logrotate_read_tmp_files(system_mail_t)
')
-@@ -136,11 +158,33 @@
+@@ -136,11 +160,33 @@
')
optional_policy(`
@@ -12753,7 +12772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
-# should break this up among sections:
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
-+
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
@@ -12765,12 +12784,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
-
++
+# should break this up among sections:
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +198,4 @@
+@@ -154,3 +200,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
@@ -14377,8 +14396,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-01 16:01:42.000000000 -0500
-@@ -0,0 +1,59 @@
++++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-04 11:48:36.000000000 -0500
+@@ -0,0 +1,62 @@
+
+## policy for polkit_auth
+
@@ -14437,6 +14456,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+
+ files_search_var_lib($1)
+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
++
++ # Broken placement
++ cron_read_system_job_lib_files($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
@@ -17750,7 +17772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.6/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/sendmail.te 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/sendmail.te 2008-02-04 12:03:27.000000000 -0500
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -17779,7 +17801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -69,10 +74,12 @@
+@@ -69,13 +74,16 @@
# for piping mail to a command
corecmd_exec_shell(sendmail_t)
@@ -17792,7 +17814,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
-@@ -97,20 +104,35 @@
++files_read_all_tmp_files(sendmail_t)
+
+ init_use_fds(sendmail_t)
+ init_use_script_ptys(sendmail_t)
+@@ -97,20 +105,35 @@
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
@@ -17829,7 +17855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
-@@ -118,6 +140,7 @@
+@@ -118,6 +141,7 @@
optional_policy(`
procmail_domtrans(sendmail_t)
@@ -17837,7 +17863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
-@@ -125,24 +148,25 @@
+@@ -125,24 +149,25 @@
')
optional_policy(`
@@ -20191,7 +20217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.6/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/xserver.if 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/xserver.if 2008-02-04 11:52:35.000000000 -0500
@@ -15,6 +15,7 @@
template(`xserver_common_domain_template',`
gen_require(`
@@ -20393,16 +20419,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
+-
+- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
-- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
--
- allow $2 $1_xauth_t:process signal;
+ allow $2 xauth_t:process signal;
# allow ps to show xauth
- ps_process_pattern($2,$1_xauth_t)
--
++ ps_process_pattern($2,xauth_t)
+
- allow $2 $1_xauth_home_t:file manage_file_perms;
- allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
@@ -20416,8 +20443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-
- fs_getattr_xattr_fs($1_xauth_t)
- fs_search_auto_mountpoints($1_xauth_t)
-+ ps_process_pattern($2,xauth_t)
-
+-
- # cjp: why?
- term_use_ptmx($1_xauth_t)
-
@@ -20847,7 +20873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1312,3 +1411,45 @@
+@@ -1312,3 +1411,63 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -20893,9 +20919,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+')
+
++########################################
++##
++## Ptrace XDM
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_ptrace_xdm',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:process ptrace;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.6/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/xserver.te 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/xserver.te 2008-02-04 11:50:03.000000000 -0500
@@ -16,6 +16,13 @@
##
@@ -20970,18 +21014,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t)
-@@ -95,8 +134,8 @@
+@@ -95,8 +134,9 @@
# XDM Local policy
#
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms };
++allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };
++
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
-@@ -109,6 +148,8 @@
+@@ -109,6 +149,8 @@
allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -20990,7 +21035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -131,15 +172,22 @@
+@@ -131,15 +173,22 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -21014,7 +21059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -153,6 +201,7 @@
+@@ -153,6 +202,7 @@
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -21022,7 +21067,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -184,6 +233,7 @@
+@@ -173,6 +223,8 @@
+
+ corecmd_exec_shell(xdm_t)
+ corecmd_exec_bin(xdm_t)
++# Uses DBUS
++corecmd_bin_entry_type(xdm_t)
+
+ corenet_all_recvfrom_unlabeled(xdm_t)
+ corenet_all_recvfrom_netlabel(xdm_t)
+@@ -184,6 +236,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@@ -21030,7 +21084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
-@@ -196,6 +246,7 @@
+@@ -196,6 +249,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -21038,7 +21092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -208,8 +259,8 @@
+@@ -208,8 +262,8 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -21049,7 +21103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
-@@ -226,6 +277,7 @@
+@@ -226,6 +280,7 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -21057,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
-@@ -245,6 +297,7 @@
+@@ -245,6 +300,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -21065,7 +21119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -256,12 +309,11 @@
+@@ -256,12 +312,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -21079,7 +21133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -270,6 +322,10 @@
+@@ -270,6 +325,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -21090,7 +21144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -304,7 +360,16 @@
+@@ -304,7 +363,16 @@
')
optional_policy(`
@@ -21107,7 +21161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -322,6 +387,10 @@
+@@ -322,6 +390,10 @@
')
optional_policy(`
@@ -21118,7 +21172,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t)
')
-@@ -343,8 +412,8 @@
+@@ -335,6 +407,11 @@
+ ')
+
+ optional_policy(`
++ polkit_domtrans_auth(xdm_t)
++ polkit_read_lib(xdm_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(xdm_t)
+ ')
+
+@@ -343,8 +420,8 @@
')
optional_policy(`
@@ -21128,7 +21194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -380,7 +449,7 @@
+@@ -380,7 +457,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -21137,7 +21203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +461,15 @@
+@@ -392,6 +469,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -21153,7 +21219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,6 +482,7 @@
+@@ -404,6 +490,7 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -21161,7 +21227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_all_users_fonts(xdm_xserver_t)
-@@ -420,6 +499,14 @@
+@@ -420,6 +507,14 @@
')
optional_policy(`
@@ -21176,7 +21242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
-@@ -429,47 +516,103 @@
+@@ -429,47 +524,103 @@
')
optional_policy(`
@@ -21909,7 +21975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.6/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/system/init.if 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/init.if 2008-02-04 12:02:32.000000000 -0500
@@ -211,6 +211,13 @@
kernel_dontaudit_use_fds($1)
')
@@ -22077,7 +22143,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1252,7 +1289,7 @@
+@@ -1097,6 +1134,25 @@
+
+ ########################################
+ ##
++## Read init script temporary data.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_read_script_tmp_files',`
++ gen_require(`
++ type initrc_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
++')
++
++########################################
++##
+ ## Create files in a init script
+ ## temporary data directory.
+ ##
+@@ -1252,7 +1308,7 @@
type initrc_var_run_t;
')
@@ -22086,7 +22178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1273,3 +1310,92 @@
+@@ -1273,3 +1329,92 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
@@ -22181,7 +22273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/init.te 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/init.te 2008-02-04 11:10:57.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@@ -23045,7 +23137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.6/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if 2008-02-04 08:26:35.000000000 -0500
@@ -489,3 +489,44 @@
manage_lnk_files_pattern($1,locale_t,locale_t)
')
@@ -25015,7 +25107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/userdomain.if 2008-02-01 22:19:29.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/userdomain.if 2008-02-04 08:23:21.000000000 -0500
@@ -29,9 +29,14 @@
')
@@ -28179,8 +28271,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 17:10:42.000000000 -0500
-@@ -0,0 +1,135 @@
++++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-04 11:23:06.000000000 -0500
+@@ -0,0 +1,137 @@
+
+policy_module(virt,1.0.0)
+
@@ -28256,10 +28348,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
+
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
++read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
-+files_trans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
++manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
++filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+corenet_all_recvfrom_unlabeled(virtd_t)
+corenet_all_recvfrom_netlabel(virtd_t)
@@ -28699,8 +28793,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
+## Policy for staff user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-01 16:01:42.000000000 -0500
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-04 08:26:47.000000000 -0500
+@@ -0,0 +1,51 @@
+policy_module(staff,1.0.1)
+userdom_unpriv_user_template(staff)
+
@@ -28708,6 +28802,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+userdom_role_change_template(staff, sysadm)
+userdom_dontaudit_use_sysadm_terms(staff_t)
+
++allow $staff_t self:capability sys_nice;
++
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+
@@ -28716,6 +28812,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+modutils_read_module_config(staff_t)
+modutils_read_module_deps(staff_t)
+
++miscfiles_read_hwdata(staff_t)
++
+sudo_per_role_template(staff, staff_t, staff_r)
+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
+